eBay Data Breach Response – How Not to Handle a Crisis

It Took 3 Months To Notice The Breach

eBay, which was recently hit by a cyber attack that exposed the personal data of up to 233 million registered accounts, is now being investigated by three states — Connecticut, Florida, and Illinois — in a joint probe into the e-commerce giant’s security practices.

eBay’s response to the crisis, which unfolded over the past week, has been criticized as being more embarrassing than the attack itself. It took eBay three months to notice the data breach, after which it waited two weeks to make an announcement.

The company then failed to send out a mass email in a timely manner to customers, who were mostly informed via news outlets. When eBay finally posted a warning at the top of its website, it contained a “Learn More” link that led to a blank page (which remains blank at the time of this writing). A few days ago, customers were also confused by empty “Placeholder Text” in PayPal’s blog entry about the data breach.

At the same time, eBay tried to downplay the severity of the data breach, stating that its 145 million active users, rather than its 233 million registered accounts, were affected. It also emphasized that no financial records were exposed, since PayPal had not been breached.

However, eBay confirmed that users’ real names, home addresses, phone numbers, and email addresses had all been leaked.

The right and wrong way to handle data breaches

Major crises like eBay’s data breach quickly expose which companies are well run, and which are not.

Adobe, which had 38 million passwords and the source code to several programs stolen last October, was praised by cybersecurity experts for its quick and honest response to the attack. Adobe, being a Silicon Valley-based tech company, was clearly ready to contain the damage even though its security measures had failed.

On the other hand, Target’s (NYSE: TGT) response to the theft of approximately 40 million credit card records and 110 million personal data records last December was sluggish and disorganized. Target waited for a week before announcing the data breach, and after it did so, it was unprepared to handle the deluge of incoming calls and emails from panicked customers. That poor crisis response ultimately led to the resignation of CEO Gregg Steinhafel earlier this month.

What eBay’s response tells us about eBay’s business

eBay’s response was notably worse than Target’s. First, it waited two weeks instead of one to notify investors and customers. It then ignored the two most obvious ways to contain the damage — sending out a timely mass email to its registered users and posting a large warning at the top of its website.

After customers complained that they were reading about the data breach online without receiving any notifications from eBay, the company responded by telling customers via a tweet that it would “take time” for eBay users to receive the reset email. Meanwhile, broken links and “Placeholder Text” just reinforced the perception that eBay was not prepared to handle the crisis.

In a response published by Reuters, cyber forensics expert David Kennedy, the CEO of TrustedSEC LLC, stated that “eBay should be held to a higher standard.”

Do investors matter more than customers?

What’s puzzling about the broken “Learn More” link on eBay’s customer-facing website, www.ebay.com, is that the company’s investor-facing website, www.ebayinc.com, prominently features useful information about the data breach.

No one at eBay took the time to simply connect the broken link on the customer site to the corporate news update. Whether or not that was intentional, it sends a bad message to customers: investors matter more than customers.